THE INFORMATION Commissioner’s Office (ICO) has fined hotel group Marriott International £18.4 million for the company’s failure to keep millions of customers’ personal data secure.
Marriott International estimates that 339 million guest records worldwide were affected following a cyber attack that took place back in 2014 and involved Starwood Hotels and Resorts Worldwide Inc. The attack, which emanated from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The personal data involved differed between individuals, but may have included names, e-mail addresses, telephone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP statuses and loyalty programme membership numbers.
The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people resident here in the UK.
The ICO’s investigation found that there were failures by Marriott International to put appropriate technical or organisational measures in place in order to protect the personal data being processed on its systems as required by the General Data Protection Regulation (GDPR).
Information Commissioner Elizabeth Denham commented: “Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott International’s failure. Thousands contacted a Helpline, while others may have had to take action to protect their personal data because the company they trusted it to had not done so. When a business fails to look after its customers’ data, the impact is not just a possible fine. What matters most is the public whose data they had a duty to protect.”
Intent to fine
The ICO’s investigation traced the cyber attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.
Because the breach happened before the UK left the European Union (EU), the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU data protection authorities through the GDPR’s co-operation process.
In July last year, the ICO issued Marriott International with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott International, the steps that the company took to mitigate the effects of the incident and the economic impact of COVID-19 on its business before setting a final penalty.
Details of the attack
In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system, giving them the ability to access and edit the contents of that device remotely.
This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, as well as other devices on the network to which that account would have had access.
The attacker then installed further tools to gather login credentials for additional users within the Starwood network. With these credentials, the attacker accessed and exported the database storing reservation data for Starwood customers.
The ICO fully acknowledges that Marriott International acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by those customers affected and has since instigated a number of measures designed to improve the security of its systems.
Adam Rose, partner at law firm Mishcon de Reya, stated: “This decision puts an inordinate strain on a buyer of a company. With all of its due diligence and warranty protections, Marriott International did not uncover the data breach, not least because Starwood didn’t know about it. This sort of decision does little to protect individuals or to help successful businesses grow through acquisitions: Marriott International did all that it reasonably could when making the acquisition, but is now facing a large, albeit reduced, fine.”